UI and security improvements

2026-05-18 20:02:22 -04:00 · 2026-05-18 20:02:22 -04:00 · b8c4914a52
commit b8c4914a52
parent 9a272ee959
13 changed files with 136 additions and 80 deletions
--- a/docker/router-dash/app/action_apply_vlans.py
+++ b/docker/router-dash/app/action_apply_vlans.py
@ -41,12 +41,14 @@ def _derive_vlan_id(subnet, prefix):
@bp.route('/action/add_vlan', methods=['POST'])
@require_level('administrator')
 def add_vlan():
-    name            = sanitize.name(request.form.get('name', '')).lower()
+    name            = sanitize.name(request.form.get('name', ''))
    is_vpn          = 'is_vpn' in request.form
    subnet          = sanitize.ip(request.form.get('subnet', ''))
    subnet_mask     = sanitize.subnet_mask(request.form.get('subnet_mask', ''))
    radius_default  = 'radius_default' in request.form
    mdns_reflection = 'mdns_reflection' in request.form
+    use_blocklists  = sanitize.filterlist(request.form.getlist('use_blocklists'),
+                                          {b.get('name') for b in load_core().get('blocklists', [])})

    if not name:
        flash('Name is required.', 'error')
@ -81,7 +83,7 @@ def add_vlan():
        'is_vpn':          is_vpn,
        'subnet':          subnet,
        'subnet_mask':     subnet_mask,
-        'use_blocklists':  [],
+        'use_blocklists':  use_blocklists,
        'radius_default':  radius_default,
        'mdns_reflection': mdns_reflection,
    }
@ -104,11 +106,12 @@ def edit_vlan():
        flash('Invalid request.', 'error')
        return redirect(VIEW)

-    name            = sanitize.name(request.form.get('name', '')).lower()
+    name            = sanitize.name(request.form.get('name', ''))
    subnet          = sanitize.ip(request.form.get('subnet', ''))
    radius_default  = 'radius_default' in request.form
    mdns_reflection = 'mdns_reflection' in request.form
-    use_blocklists  = request.form.getlist('use_blocklists')
+    use_blocklists  = sanitize.filterlist(request.form.getlist('use_blocklists'),
+                                          {b.get('name') for b in load_core().get('blocklists', [])})

    # subnet_mask is only present when the column is visible (not all edit paths send it).
    # Validate if submitted; fall back to the stored value otherwise.